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Abstract 

Ensuring the reliability of multithreaded software systems is difHcult due to the interaction 
between threads. This paper describes the design and implementation of a static checker for 
such systems. To avoid considering all possible thread interleavings, the checker uses assume- 
guarantee reasoning, and relies on the programmer to specify an environment assumption that 
constrains the interaction between threads. Using this environment assumption, the checker 
reduces the verification of the original multithreaded program to the verification of several se- 
quential programs, one for each thread. These sequential programs are subsequently analyzed 
using extended static checking techniques (based on verification conditions and automatic the- 
orem proving). Experience indicates that the checker is capable of handling a range of synchro- 
nization disciplines. In addition, the required environment assumptions are simple and intuitive 
for common synchronization idioms. 

1 Introduction 

Ensuring the reliability of critical software systems is an important but extremely difficult task. A 

number of useful tools and techniques have been developed for reasoning about sequential systems. 
Unfortunately, these sequential analysis tools are not applicable to many critical software systems 
because such systems are often multithreaded. The presence of multiple threads significantly com- 
plicates the analysis because of the potential for interference between threads; each atomic step of 
a thread can influence the subsequent behavior of other threads. 

For multithreaded programs, more complex analysis techniques are necessary. The classical 
assertional approach [Ash75, OG76, Lam77, Lam88] requires control predicates at each program 
point to specify the reachable program states, but the annotation burden for using this approach 
is high. Some promising tools [CDH+00, YahOl] use model checking and abstract interpretation to 
infer the reachable state set automatically, but the need to consider all possible thread interleavings 
may hinder scaling these tools to large programs. 

A more modular and scalable approach is assume-guarantee reasoning, in which each compo- 
nent is verified separately using a specification of the other components [MC81, Jon83a]. Several 
researchers have presented assume-guarantee proof rules (see Section 2), and some verification tools 
that support assume-guarantee reasoning on hardware have recently appeared [McM97, AHM+98]. 
However, tools for assume-guarantee reasoning on realistic software systems do not exist. 

In this paper, we describe the design and implementation of a static checker for multithreaded 
programs, based on an assume-guarantee decomposition. This checker is targeted to the verification 
of actual implementations of software systems, as opposed to logical models or abstractions of 
these systems. The checker relies on the programmer to specify, for each thread, an environment 
assumption that models the interference caused by other threads. This environment assumption is 
an action, or two-store relation, that constrains the updates to the shared store by interleaved atomic 
steps of other threads. The atomic steps of each thread are also required to satisfy a corresponding 
guarantee condition that implies the assumption of every other thread. 

Using these assumptions and guarantees, our checker translates each thread into a sequential 
program that models the behavior of that thread precisely and uses the environment assumption 
to model the behavior of other threads. Thus, our assume-guarantee decomposition reduces the 
verification of a program with n threads to the verification of n sequential programs. This thread- 
modular decomposition allows our tool to leverage extended static checking techniques [DLNS98] 
(based on verification conditions and automatic theorem proving) to check the resulting sequential 
programs. 
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We have implemented our checker for multithreaded programs written in the Java programming 

language [AG96], and wc have successfully applied this checker to a number of programs. These 
programs use a variety of synchronization mechanisms, ranging from simple mutual exclusion locks 
to more complex idioms found in systems code, including a subtle synchronization idiom used in the 

distributed file system Frangipani [TML97] . 

Experience with this implementation indicates that our analysis has the following useful features: 

1. It naturally scales to programs with many threads since each thread is analyzed separately. 

2. For programs using common synchronization idioms, such as mutexes or reader-writer locks, 

the necessary annotations are simple and intuitive. 

3. Control predicates can be expressed in our analysis by explicating the program counter of each 
thread as an auxiliary variable. Therefore, theoretically our method is as expressive as the 
Owicki-Gries method. However, for many common cases, such as those appearing in Section 6, 

our method requires significantly fewer annotations. 

The remainder of the paper proceeds as follows. The following section describes related work on 
assume-guarantee reasoning and other tools for detecting synchronization errors. Section 3 intro- 
duces Plato, an idealized language for parallel programs that we use as the basis for our development. 
Section 4 provides a formal definition of thread-modular verification. Section 5 applies thread- 
modular reasoning to the problem of invariant verification. Section 6 describes our implementation 
and its application to a number of example programs. We conclude in Section 7. 

2 Background 

One of the earliest assume-guarantee proof rules was developed by Misra and Chandy [MC81] for 
message-passing systems, and later refined by others (see, for example, [Jon89, MM93]). However, 
their message-passing formulation is not directly applicable to shared-memory software. 

Jones [Jon83a, Jon83b] gave a proof rule for multithreaded shared-memory programs and used 
it to manually refine an assume-guarantee specification down to a program. We extend his work 
to allow the proof obligations for each thread to be checked mechanically by an automatic theorem 
prover. Stark [Sta85] also presented a rule for shared-memory programs to deduce that a conjunction 
of assume-guarantee specifications hold on a system provided each specification holds individually, 
but his work did not allow the decomposition of the implementation. 

Abadi and Lamport [AL95] view the composition of components as a conjunction of temporal 
logic formulas [Lam94] describing them, and they present a rule to decompose such systems. Since 
threads modifying shared variables cannot be viewed as components in their framework, their work 
is not directly applicable to our problem. CoUette and Knapp [CK95] extended the rule of Abadi 
and Lamport to the more operational setting of Unity [CM88] specifications. 

Alur and Henzinger [AH96] and McMillan [McM97] present assume-guarantee proof rules for 
hardware components. A number of other compositional proof rules not based on assume-guarantee 
reasoning have also been proposed, such as [BKP84, CM88, MP95]. 

Yahav [YahOl] describes a method to model check multithreaded programs using a 3-valued 
logic [SRW99, LASOO] to abstract the store. This technique can verify interesting properties of 
small programs. Pasareanu et al. [PDH99] also describe a model checking tool for compositional 
checking of finite-state message-passing systems. Abraham-Mumm and deBoer [AMdBOO] sketch 
a logic for verifying multi-threaded Java programs indirectly via a translation to communicating 
sequential programs. 
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A number of tools have been developed for identifying specific synchronization errors in mul- 
tithreaded programs. These approaches are less general than thread- modular verification and use 
specific analysis techniques to locate specific errors, such as data races and deadlocks. For exam- 
ple, RCC/Java [FFOO] is an annotation-based checker for Java that uses a type system to identify 
data races [FA99]. While this tool is successful at finding errors in large programs, the inability 
to specify subtle synchronization patterns results in many false alarms [FFOl]. ESC/ Java [LSS99], 
Warlock [Ste93], and the dynamic testing tool Eraser [SBN+97] are other tools in this category, and 
are discussed in an earlier paper [FFOO]. 

3 The Parallel Language Plato 

We present thread- modular verification in terms of the idealized language Plato (parallel language of 
atomic operations). A Plato program P is a parallel composition 5i | • • • \ Sn of several statements, 
or threads. The program executes by interleaving atomic steps of its various threads. The threads 
interact through a shared store a, which maps program variables to values. The sets of variables 
and values are left intentionally unspecified, as they are mostly orthogonal to our development. 

Statements in the Plato language include the empty statement skip, sequential composition 
Si; S2, the nondeterministic choice construct 5*1 □ 6*2, which executes either Si or ^2, and the iteration 



statement S*, which executes S some arbitrary number of times. 
Plato syntax 


S £ Stmt ::= skip no operation P 


e 


Program 


■■:= Sl\ ■■■ \Sn 


\ X lY atomic operation a 


e 


Store 


= Var — » Value 


1 SOS nondeterministic choice X, Y 


e 


Action 


C Store X Store 


1 S; S composition 








1 S* nondeterministic iteration 









Perhaps the most notable aspect of Plato is that it does not contain constructs for conventional 
primitive operations such as assignment and lock acquire and release operations. Instead, such 
primitive operations are combined into a general mechanism called an atomic operation X I Y, 
where X and Y are aetions, or two-store predicates. The action X is a constraint on the transition 
from the pre-store a to the post-store a', and Y is an assertion about this transition. 

To execute the atomic operation X I Y, an arbitrary post-store a' is chosen that satisfies the 
constraint X((7,(7'). There are two possible outcomes: 

1. If the assertion Y{a, a') holds, then the atomic operation terminates normally, and the execu- 
tion of the program continues with the new store a'. 

2. If the assertion Y{a, a') does not hold, then the execution goes wrong. 

If no post-store a' satisfies the constraint X{a,a'), then the thread is blocked, and the execution 
can proceed only on the other threads. 

In an atomic operation, we write each action as a formula in which primed variables refer to their 
value in the post-store a', and unprimed variables refer to their value in the pre-store a. In addition, 
for any action X and set of variables V C Var, we use the notation {X)v to mean the action that 
satisfies X and only allows changes to variables in V between the pre-store and the post-store. We 
abbreviate the common case (X)0 to {X) and also abbreviate {X)^a} to {X)a- 

Atomic operations can express many conventional primitives, such as assignment, assert, and 
assume statements (see below). Atomic operations can also express other primitives, in particular 
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lock acquire and release operations. We assume that each lock is represented by a variable and that 
each thread has a unique nonzero thread identifier. If a thread holds a lock, then the lock variable 
contains the corresponding thread identifier; if the lock is not held, then the variable contains zero. 
Under this representation, acquire and release operations for lock mx and thread i are shown below. 
Finally, Plato can also express traditional control constructs, such as if and while statements. 

Expressing conventional constructs in Plato 



X : = 


e 


def 


(x' = e)x i true 


acq(mx) 


def 


(mx = 0 A mx' = i)inx i true 


assert 


e 


def 


(true) I e 


rel(mx) 


def 


(mx' = 0)mx J, (mx = i) 


assume 


e 


def 


(e) I true 


if {e){S} 


def 


(assume e; S')D(assume ^e) 










while (e) { S } 


def 


(assume e; S)*; (assume -^e) 



3.1 Formal Semantics 

The execution of a program is defined as an interleaving of the executions of its individual, sequential 
threads. A sequential state $ is either a pair of a store and a statement, or the special state wrong 
(indicating that the execution went wrong by failing an assertion). The semantics of individual 
threads is defined via the transition relation $ —f^ defined in the figure below. 

A parallel state G is either a pair of a store and a program (representing the threads being 
executed), or the special state wrong. The transition relation Q — s-p Q on parallel states executes 
a single sequential step of an arbitrarily chosen thread. If that sequential step terminates normally, 
then execution continues with the resulting post-state. If the sequential step goes wrong, then so 
does the entire execution. 

Formal semantics of Plato 

$ € SeqState ::= (<t, 5) | wrong 6 € ParState ::= (a, P)|wrong 

[action ok] [action wrong] [choice] 

X(a,a') Y{a,a') X(a,a') -^Y(a,a') «G{1,2} 



(a',skip) (a, X i F) wrong (a, Si OS's) (a, Si) 

[loop done] [loop unroll] [ASSOC] 



{a, S') {(T, skip) {a, S') (cT, S; S") {a, (Si; S2); S3) {a, Si; (S2; S3)) 

[SEQ step] [SEQ skip] [SEQ WRONG] 

(a, Si) -^s (a, S[) {a, Si) wrong 



(<7, Si;S2) (o" ,Si;S2) (a, skip; S) —»s (cr, S) (cr, Si; S2) —»s wrong 

[parallel] [parallel wrong] 

{a, Si) (cr', so {a, Si) wrong 



(cT,Si I ••• I Si I ••• I S„) (<T,Si I ••• I Si I ••• I S„)^p wrong 

^p(a',Si I ••• I S'i I ••• I S„) 
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4 Thread- Modular Verification 



We reason about a parallel program P = Si \ ■ ■ ■ | 5„ by reasoning about each thread in P separately. 
For each thread i, we specify two actions - an environment assumption Ai and a guarantee Gj. The 
assumption of a thread is a specification of what transitions may be performed by other threads in 
the program. The guarantee of a thread is required to hold on every action performed by the thread 
itself. To ensure the correctness of the assumptions, we require that the guarantee of each thread 
be stronger than the assumption of every other thread. In addition, to accommodate effect-free 
transitions, we require each assumption and guarantee to be reflexive. The precise statement of 
these requirements is as follows: 

1. Ai and Gi are reflexive for all i G l..n. 

2. Gi C Aj for all i,j G l..n such that i ^ j. 

If these requirements are satisfled, then (^i, d), . . . , (A„, Gn) is an assume- guarantee decomposition 
for P. 

We next deflne the translation IS]q of a statement S with respect to an assumption A and a 
guarantee G. This translation verifles that each atomic operation of S satisfles the guarantee G. In 
addition, the translation inserts the iterated environment assumption A* as appropriate to model 
atomic steps of other threads. 

!•]! : Stmt X Action x Action Stmt 

[skipl^ = A* 

IXlYj^ = A*;X i{Y AG):A* 

lSiaS2U = A*;{lSi]MS2U) 
lS*j^ = A*;{{lSj^;A*r;A*) 



We use this translation and the assume-guarantee decomposition to abstract each thread i of the 
parallel program P into the sequential program 15^]^' , called the i-ahstraction of P. For any thread 
i, if Ai models the environment of thread i and the sequential ^-abstraction of P does not go wrong, 
then we conclude that the corresponding thread Si in P does not go wrong and also satisfies the 
guarantee Gi. Thus, if none of the ^-abstractions go wrong, then none of the threads in P go wrong. 
This property is formalized by the following theorem; its correctness proof avoids circular reasoning 
by using induction over time. (An extended report containing the proof of theorems in this paper 
is in available at http://www.research.coinpaq.com/SRC/personal/freund/tinv-draft.ps.) 

Theorem 1 (Thread-Modular Verification) Let P = Si \ ■ ■■ \ Sn be a parallel program with 
assume-guarantee decomposition {Ai,Gi), ... , (^„,G„). For alia € Store, if\/i € l..n. {a, ISijQ') -/^* 
wrong, then (ct, P) -/^* wrong. 

This theorem allows us to decompose the analysis of a parallel program 5*1 | • • • \ Sn into analyses 
of individual threads by providing an assume-guarantee decomposition {Ai, Gi), . . . , {An, Gn)- In 
practice, we only require the programmer to specify refiexive assumptions Ai, . . . , A„, and we derive 
the corresponding refiexive guarantees by 

Gi = {\/j€l..n.jj^i^Aj). 
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For all examples we have considered, the natural assumptions are transitive in addition to being 

reflexive. This allows us to optimize the iterations A* in each i-abstraction to simply the action Ai. 
In addition, the n environment assumptions Ai,. . . , An for a program with n threads can typically 
be conveniently expressed as a single action parameterized by thread identifier, as shown below. 



4. 1 Example 



To illustrate Theorem 1, consider the following program SimpleLock. The program manipulates two 
shared variables, an integer x and a lock mx. To synchronize accesses to x, each thread acquires the 
lock mx before manipulating x. The correctness condition we would like to verify is that Threadi 
never goes wrong by failing the assertion x > 1. 

SimpleLock program, desugared Threadi, soad [Threadi] 



Threadi 



Thread2 : 



acq(mx); acq(mx); 
X := X * x; X := 0; 
X := X + 2; reKmx); 
assert x > 1; 
rel(mx); 



Desugared Threadi : 
(mx = 0 A mx' = l)mx ; 
(x' = X * x)x; 
(x = X + 2)x; 
(true) J. (x > 1); 
(mx' = 0)inx i (mx = 1) 



[Threadi]^; 



Ai 
Ai 
Ai 
Ai 



{mx = 0 A mx' = l)mx i Gi ; 
(x' = X * x)x i Gi ; 
(x' = x + 2)x i Gi ; 
(true) i (x > 1 AGi); 
(mx' = 0)mx i (mx = 1 A Gi); 



The synchronization discipline in this program is that if a thread holds the lock mx, then the 
other thread cannot modify either the variable x or the lock variable mx. This discipline is formalized 
by the following environment assumption for thread identifier i S 1..2; 

Ai = (mx = « mx' = i A x' = x) 

The corresponding guarantees are Gi = A^ and = A\. Since A\ is reflexive and transitive, we 
can optimize both and A\ ; A\ to A\ in the 1-abstraction of SimpleLock, shown above. 

Verifying the two i-abstractions of SimpleLock is straightforward, using existing analysis tech- 
niques for sequential programs. In particular, our checker uses extended static checking to verify 
that the two sequential i-abstractions of SimpleLock do not go wrong. Thus, the hypotheses of 
Theorem 1 are satisfied, and we conclude that the parallel program SimpleLock does not fail its 
assertion. 



5 Invariant Verification 

In the previous section, we showed that the SimpleLock program does not fail its assertion. In many 
cases, we would also like to show that a program preserves certain data invariants. This section 
extends thread- modular verification to check data invariants on a parallel program P = S\\ ... | 5„. 
We use Init C Store to describe the possible initial states of P, and we say that a set of states / is 
an invariant of P with respect to Init if for each a G Init, if (<j, P) ^* (a', P'), then a' & I. 

To show that I is an invariant of P, it sufiices to show that I holds initially (i.e., Init C 7), 
and that / is preserved by each transition of P. We prove the latter property using thread-modular 
verification, where the guarantee Gj of each thread satisfies the property 

Gi {I^I'). 
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In this formula, the predicate / denotes the action where I holds in the pre-state, and the post-state 
is unconstrained; similarly, /' denotes the action where the pre-state is unconstrained, and I holds 
in the post-state. Thus, / /' is the action stating that / is preserved. 

The following theorem formalizes the application of thread-modular reasoning to invariant veri- 
fication. 

Theorem 2 (Invariant Verification) Let P = Si \ ■ ■ ■ | S'„ 6e a parallel program with assume- 
guarantee decomposition (Ai, Gi), . . . , {An, Gn), and let Init and I be sets of stores. Suppose: 

1. Init C I 

2. \/i e l..n. Gi^{I^ I') 

3. \/i e l..n. V(T e Init. {a, [5^]^'.) y^* wrong 
Then I is an invariant of P with respect to Init. 

In practice, we apply this theorem by requiring the programmer to supply the invariant / and the 
parameterized environment assumption Aj. We derive the corresponding parameterized guarantee: 

Gi = iyjGl..n.jy^i^Aj)A{I^l') 

The guarantee states that each atomic step of a thread satisfies the assumptions of the other threads 
and also preserves the invariant. Since each step preserves the invariant, we can strengthen the 
environment assumption to: 

Bi = A,A{I^I') 

The resulting assume-guarantee decomposition {Bi,Gi), . . . , G„) is then used in the application 
of Theorem 2. The first condition of that theorem, that Init C J, can be checked using a theorem 
prover [Nel81]. The second condition, that Vz e l..n. Gi (/ =^ /'), follows directly from the 
definition of G,. The final condition (similar to the condition of Theorem 1), that each sequential 
i-abstraction l^ij^' does not go wrong from any initial store in Init, can be verified using extended 
static checking. The following section describes our implementation of a checker for parallel programs 
that supports thread modular and invariant verification. 

6 Implementation and Applications 

We have implemented an automatic checker for parallel, shared-memory programs. This checker 
takes as input a Java program, together with annotations describing appropriate environment as- 
sumptions, invariants, and asserted correctness properties. The input program is first translated 
into an intermediate representation language similar to Plato, and then the techniques of this paper 
are applied to generate an i-abstraction, which is parameterized by the thread identifier i. The 
checker optimizes this i-abstraction using a number of techniques. In particular, the checker uses an 
automatic theorem prover to verify that the environment assumption Ai is reflexive and transitive 
and then optimizes each iterated environment assumption A* to A; . 

Once optimized, the z-abstraction is then converted into a verification condition [Dij75, FSOl]. 
When generating this verification condition, procedure calls are handled by inlining, and loops 
are translated either using a programmer-supplied loop invariant, or in an unsound, but useful, 
manner by unrolling loops some finite number of times [LSS99]. The automatic theorem prover 
Simplify [Nel81], is invoked to check the validity of this verification condition. 
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If the verification condition is valid, then the parameterized i-abstraction does not go wrong, 
and hence the original Java program preserves the stated invariants and assertions. Ahernatively, 
if the verification condition is invalid, then the theorem prover generates a counterexample, which 
is then post-processed into an appropriate error message in terms of the original Java program. 
Typically, the error message either identifies an atomic step that may violate one of the stated 
invariants or environment assumptions, or identifies an assertion that may go wrong. This assertion 
may either be explicit, as in the example programs, or may be an implicit assertion, for example, 
that a dereferenced pointer is never null. 

The implementation of our checker leverages extensively off the Extended Static Checker for 
Java, which is a powerful checking tool for sequential Java programs. For more information regarding 
ESC/ Java, we refer the interested reader to related documents [DLNS98, LSS99, ExtOl]. 

In the next three subsections, we describe the application of our checker to parallel programs using 
various kinds of synchronization. Due to space restrictions, these examples are necessarily small, but 
our checker has also been applied to significantly larger programs. In each of the presented examples, 
we state the necessary annotations: the assumptions Aj for each thread i and the invariant / to be 
proved. Given these annotations, our checker can automatically verify each of the example programs. 
For consistency with our earlier development, these programs are presented using Plato syntax. 

6.1 Dekker's Mutual Exclusion Algorithm 

Our first example is Dekker's algorithm, a classic algorithm for mutual exclusion that uses subtle 
synchronization. 



Dekkei''s mutual exclusion algorithm 



1 

Variables: 




Threadi : 


Thread2 : 


boolean 


ai; 


while (true) { 


while (true) { 


boolean 


ag; 


ai := true; 


a2 := true; 


boolean 


csi ; 


csi := ^32; 


CS2 := ^ai ; 


boolean 


CS2; 


if (csi) { 


if (CS2) { 






// critical section 


// critical section 


Initially: 




csi := false; 


CS2 := false; 


-icsi A 


-1CS2 


} 


} 






ai := false; 


a2 := false; 






} 


} 



The algorithm uses two boolean variables ai and a2. We introduce two variables csi and CS2, 

where cs^ is true if thread i is in its critical section. Each Thready expects that the other thread 
will not modify aj and csj. We formalize this expectation as the assumption: 

Ai = (aj = a- A cs, = cs •) 

We would like to verify that the algorithm achieves mutual exclusion, which is expressed as the 
invariant -•(csi A CS2). Unfortunately, this invariant cannot be verified directly. The final step is to 
strengthen the invariant to 

/ = ^(csi A CS2) A (csi ^ ai) A (cs2 ^ a2). 

Using the assumptions Ai and A2 and the strengthened invariant /, our checker verifies that Dekker's 
algorithm achieves mutual exclusion. 
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In this example, the environment assumptions are quite simple. The subtlety of the algorithm is 

reflected in the invariant which had to be strengthened by two conjuncts. In general, the complexity 
of the assertions needed by our checker reflects the complexity of the synchronization patterns used 
in program being checked. 



6.2 Reader- Writer Locks 

The next example applies thread-modular reasoning to a reader-writer lock, which can be held in 
two different modes, read mode and write mode. Read mode is non-exclusive, and multiple threads 
may hold the lock in that mode. On the other hand, holding the lock in write mode means that no 
other threads hold the lock in either mode. Acquire operations block when these guarantees cannot 
be satisfied. 

We implement a reader- writer lock using two variables: an integer w, which identifies the thread 
holding the lock in write mode (or 0 if no such thread exists), and an integer set r, which contains 
the identifiers of all threads holding the lock in read mode. The following atomic operations express 
acquire and release in read and write mode for thread i: 

acq_write(w, r) =^ (w = 0 A r = 0 A w' = i)„ 

acq_read(w, r) =^ (w = 0 A r' = r U {i})r 

rel_write(w, r) =^ (w' = 0)„ i (w = i) 

rel_read(w, r) =^ (r' = r \ {i})r i (« S r) 

For a thread to acquire the lock in write mode, there must be no writer and no readers. Similarly, 
to acquire the lock in read mode, there must be no writer, but there may be other readers, and the 
result of the acquire operation is to put the thread identifier into the set r. The release operations 
are straightforward. All of these lock operations respect the following data invariant RWI and the 
environment assumption RWAi: 

RWI = (r = 0 V w = 0) 
RWAi = (w = i w' = «) A (i G r <^ i G r') 

We illustrate the analysis of reader-writer locks by verifying the following program, in which the 
variable x is guarded by the reader-writer lock. Thread2 asserts that the value of x is stable while 
the lock is held in read mode, even though Threadi mutates x while the lock is held in write mode. 

Reader-writer lock example 



1 

Variables: 


Threadi : 




1 

Thread2 : 


int w, X, y; 


acq_write(w, 


r); 


acq_read(w, r) ; 


int_set r; 


X := 3; 




y := x; 




rel_write(w, 


r); 


assert y = x; 


Initially: 






rel_read(w, r) ; 


w = 0 A r = 0; 









The appropriate environment assumption for this program 

Ai = RWAi A (i e r X = x') A (i = 2 y = y') 
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states that (1) each thread i can assume the reader-writer assumption RWAi, (2) if thread i holds the 
lock in read mode, then x cannot be changed by another thread, and (3) the variable y is modified 
only by Thread2. This environment assumption, together with the data invariant RWI, is sufficient 
to verify this program using our checker. 

Although the reader-writer lock is more complex than the mutual-exclusion lock described earlier, 
the additional complexity of the reader-writer lock is localized to the annotations RWAi and RWI 
that specify the lock implementation. Given these annotations, it is encouraging to note that the 
additional annotations required to verify reader- writer lock clients are still straightforward. 

6.3 Time- Varying Mutex Synchronization 

We now present a more complex example to show the power of our checker. The example is derived 
from a synchronization idiom found in the Prangipani file system [TML97] . 

For each file, Frangipani keeps a data structure called an inode that ccmtains pointers to disk 
blocks that hold the file data. Each block has a busy bit indicating whether the block has been 
allocated to an inode. Since the file system is multithreaded, these data structures are guarded by 
mutexes. In particular, distinct mutexes protect each inode and each busy bit. However, the mutex 
protecting a disk block depends on the block's allocation status. If a block is unallocated (its busy 
bit is false), the mutex for its busy bit protects it. If the block is allocated (its busy bit is true), 
the mutex for the owning inode protects it. The following figure shows a highly simplified version 
of this situation. 



Time-varying mutex program 



Variables: 


Threadi : 


Thread2 : 


int block; 


acq(m_inode) ; 


acq(m_busy) ; 


boolean busy; 


if (-linode) { 


if (-ibusy) { 


boolean inode; 


acq(m_busy) ; 


block := 0; 


int m_inode ; 


busy : = true ; 


assert block = 0; 


int m_busy; 


rel (m_busy) ; 


} 




inode := true; 


rel(m_busy) ; 


Initially: 


} 




inode = busy 


block := 1; 






assert block = 1; 






rel(m_inode) ; 





The program contains a single disk block, represented by the integer variable block, and uses a 
single bit busy to store the block's allocation status. There is a single inode whose contents have 
been abstracted to a bit indicating whether the inode has allocated the block. The two mutexes 
iii_inode and iii_busy protect the variables inode and busy, respectively. 

The program contains two threads. Threadi acquires the mutex m_inode, allocates the block if 
it is not allocated already, and sets block to 1. Since Threadi is holding the lock on the inode that 
has allocated the block, the thread has exclusive access to the block contents. Thus, the subsequent 
assertion that the block value remains 1 should never fail. 

Thread2 acquires the mutex m_busy. If busy is false, the thread sets block to 0 and asserts that 
the value of block is 0. Since Thread2 holds the lock on busy when the block is unallocated, the 
thread should have exclusive access to block, and the assertion should never fail. 

We now describe annotations necessary to prove that the assertions always hold. First, the lock 
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m.inode protects inode, and the lock m.busy protects busy: 

Ji = (iii_inode = i (iii_inode' = i A inode' = inode)) A 
(m.busy = i (m.busy' = i A busy' = busy)) 

In addition, if busy is true, then block is protected by m_inode; otherwise, block is protected by 
m.busy: 

Ki = (busy A m_inode = « block = block') A 
(-■busy A m.busy = i block = block') 

Finally, the busy bit must be set when the inode has allocated the block. Moreover, the busy bit 
can be reset only by the thread that holds the lock on the inode. We formalize these requirements 
as the invariant / and the assumption Li respectively. 

I = (m_inode = 0 A inode) => busy 
Li = (m_inode = i A busy) => busy' 

With these definitions, the complete environment assumption for each thread i is: 

Ai = JiAKiA Li 

Given Ai and /, our checker is able to verify that the assertions in this program never fail. 

This example illustrates the expressiveness of our checker. By comparison, previous tools for 
detecting synchronization errors [Ste93, SBN+97, FFOO] have been mostly limited to finding races 
in programs that only use simple mutexes (and, in some cases, reader-writer locks). However, 
operating systems and other large-scale systems tend to use a variety of additional synchronization 
mechanisms, some of which we have described in the last few sections. Other synchronization idioms 
include binary and counting semaphores, producer-consumer synchronization, fork-join parallelism, 
and wait-free non-blocking algorithms. Our experience to date indicates that our checker has the 
potential to handle many of these synchronization disciplines. 

7 Conclusions 

The ability to reason about the correctness of large, multithreaded programs is essential to ensure 
the reliability of such systems. One natural strategy for decomposing such verification problems is 
procedure-modular verification, which has enjoyed widespread use in a variety of program analysis 
techniques for many years. Instead of reasoning about a call-site by inlining the corresponding pro- 
cedure body, procedure-modular verification uses some specification of that procedure, for example, 
a type signature or a precondition/postcondition pair. 

A second, complementary decomposition strategy is assume-guarantee decomposition [Jon83a], 
which avoids the need to consider all possible interleavings of the various threads exphcitly. Instead, 
each thread is analyzed separately, with an environment assumption providing a specification of the 
behavior of the other program threads. 

This paper presents an automatic checker for multithreaded programs, based on an assume- 
guarantee decomposition. The checker relies on the programmer to provide annotations describing 
the environment assumption of each thread. A potential concern with any annotation-based analysis 
technique is the overhead of providing such annotations. Our experience applying our checker to 
a number of example programs indicates that this annotation overhead is moderate. In particular, 
for many common synchronization idioms, the necessary environment assumptions are simple and 
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intuitive. The environment assumption may also function as useful documentation for multithreaded 

programs, providing benefits similar to (formal or informal) procedure specifications. 

We believe that verification of large, multithreaded programs requires the combination of both 
thread-modular and procedure-modular reasoning. However, specifying a procedure in a multi- 
threaded program is not straightforward. In particular, because other threads can observe interme- 
diate states of the procedure's computation, a procedure cannot be considered to execute atomically 
and cannot be specified as a simple precondition/postcondition pair. Combining thread-modular 
and procedure-modular reasoning appropriately is an important area for future work. We hope that 
this paper provides a suitable foundation for further development in this area. 
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A Proofs 

This appendix contains the proofs of the Thread-Modular and Invariant Verification Theorems. We 
begin with a lemma relating transitions of a thread S and its translation \S\q for actions A and G. 
The lemma states that a transition of S may be simulated by 0 or more steps of \S\q, provided the 
transition satisfies G. If it does not satisfy G, then \S\q goes wrong. 
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Lemma 1 (Translation Simulation) Let A,G G Action where G is reflexive. 

1.1 (<72,^2) and G(ai, (72), then (az.I^zl^). 

1.2 //(criji"!) wrong, f/ien (cti, |S'i]g) ->* wrong. 

1.3 If{ai,Si) -^s {(^2,82) and ^G{ai,a2), then (cti,|S'i]^) ^* wrong. 

Proof of 1.1 The proof is by structural induction on the derivation of (cri, ^i) -^s {<^2, S2)- We 
show three representative cases: 

Case 1 [action ok]: In this case, Si = X [Y, X{ai,a2), Y{ai,a2), and S2 = skip. Therefore, 



Case 2 [choice]: In this case, ai = a2, Si = TiaT2, and S2 = Ti where i G {1, 2}. Therefore, 



Case 3 [seq step]: In this case, = Ti; T2, (ai, Ti) (0-2, Ui), and ^2 = Ui; T2. By induction, 
(ai,[Ti]^) -^t {<^2,lUiU)- Therefore, 



where [seq step]* denotes possibly many applications of the rule [SEQ step]. 

Case 4 [assoc]: In this case, (Ti = (73, = (Ti; Ta); T3, and 82^ Ti; {T2; T3). Therefore, 



((7i,[5il^) = {<JuA*;X i{Y AG);A*) 



((Ji, skip; X I (Y A G); A*) by [loop done] and [seq step] 

->s {cri,X i {YAG);A*) by [seq skip] 

-^s {C2,A*) by [action ok], [seq step], and [seq skip] 
= (a2,[skip]^) 



MSiU) = (^i,A*;([ril^n[T2l^)) 

(ai,[Til^n[T2l^) 



by [loop done], [seq step], and [seq skip] 
by [choice] 




(^2, [UiU; [T2l^) by [SEQ step]* 
= (^2, [52]^) 



i^idSiU) = {<Ji,{lTiU;lT2]^);lT3U) 

(ai, [Til^; ([T2]^; iTa]^)) by [assoc] 

= (^2,1^21^) 



The remaining cases are similar. 



□ 



Proof of 1.2 1 

There are two cases: 



The proof is by structural induction on the derivation of (c7i,S'i) 



wrong. 
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Case 1 [action wrong]: In this case, Si = X lY, X{ai, (72), and -■y(cri, (72). This implies that 
{ai,X I {Y A G)) -^s wrong by rule [action wrong]. Therefore, 

= {auA*-X l{YAGy,A*) 

— >J (cti, skip; X I {Y A G); A*) by [loop done] and [seq step] 

(fJi , X i (F A G) ; ^* ) by [SEQ SKIP] 

—^s wrong by [sEQ wrong] 

Case 2 [seq wrong]: In this case, = Ti; T2 and (ai, Ti) —^s wrong. By induction, (cti, [TiJq) - 
wrong. Therefore, 

^* (£7i,skip; [Ti]^; |T2]^) by [loop done] and [seq step] 
{cTi , [Ti]^; |T2]^) by [SEQ SKIP] 

—^l wrong by [SEQ step]* and [SEQ WRONG] 

□ 

Proof of 1.3 The proof is by structural induction on the derivation of {ai,Si) {(^21 82)- 
There are three cases: 

Case 1 [action ok]: In this case. Si = X [ Y, X{ai,a2), Y{cri,CF2), and -10(0-1, 0-2). This 
implies that {cri,X [ {Y AG)) -^s wrong by rule [action wrong]. Therefore, 

(^i,[^i]g) = {'Ji,A*-X i{YAG);A*) 

— >* (cTi, skip; X I {Y A G); A*) by [loop done] and [seq step] 

{(Ti,X i{Y AG);A*) by [SEQ SKIP] 

—^s wrong by [SEQ wrong] 

Case 2 [seq step]: In this case. Si = Ti;T2 and (cri,ri) (c72,J7i), and ^2 = J7i;r2. By 
induction, (cri, [TiJ^) — >* wrong. Therefore, 

-^l wrong by [seq wrong]* 

where [SEQ wrong]* refers to a derived rule in which the first statement of a sequential composition 
goes wrong after possibly many steps. 

Case 3 [seq skip], [assoc], [choice], [loop done], [loop unroll]: None of these transitions 
update the store. Hence, a2 = <Ji- From the hypotheses of the lemma, G is reflexive, which 
contradicts the hypothesis -•G(ai,cr2). 

□ 

We next show that the translation begins with a yield point at which the abstraction of the other 
threads may make an arbitrary number of steps. 
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Lemma 2 Let A,G G Action where G is reflexive. Given any store a and statement S, {a, IS]q) 

(^,^; I^l^)- 

Proof Proof is by structual induction on S. Two representative cases are shown: 
Case 1 S = SiaS2: In this case, [5]^ = A*; {[Sii^nlS2]^). Therefore, 

(a, ISj^) {t, {A; a*); (I^il^DlSa]^)) by [loop unroll] 

{<y,A; (^*; (I5il^n[52]^))) by [assoc] 

Case 2 5 = 5i; ^2: By induction, {a, (a. A; {Sij^) . Therefore, 

(a, {A; [S2U) by [seq step]* 

(a,A;([5il^;[52]^)) by [assoc] 



□ 



Before stating the next lemma, we define the following translation on parallel states. This 
function simplifies the notation for constructing an i-abstraction from a parallel program in a given 
state. 

: Par State SeqState 
l{a,S, I ••• I Sn)h = {<J,m'Z) 
|wrong]j = wrong 

The assume-guarantee decomposition to use in the translation is implicit from the context. We may 
now show that any step taken by a parallel thread either can be simulated by every i-abstraction of 
the program or causes at least one i-abstraction to go wrong. 

Lemma 3 Let P = Si \ ■ ■ ■ \ Sn be a parallel program with assume-guarantee decomposition 
{Ai,Gi), . . . , {An, Gn)- Let 61 = (cti, P) for some store ai G Store. If 61 — >p 62, then either: 

1. Vj e l..n. [ei],- ^* 

2. 3j e l..n. [Gi]^- ^* wrong 

Proof The proof is by case analysis on the rule used to derive Oi -^p O2: 
Case 1 [parallel]: In this case, let 

e2 = (a2,5i I ••• \Ti\ ■■■ \Sn) 
where {ai,Si) — >s (0-2, Tj). There are two cases: 
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Case 1.1 G,(cri,(T2): By Lemma 1.1, [6i]j — |62li. Also for j ^ i, the definition of |6i|j 
yields 

I©lL- -^*s {<^uAj; l^jlep by Lemma 2 

— ("'27 because Gi{ai,a2) and C Aj 

= 102], 

Thus, Vj e l..n. [Gil, [62],. 

Case 1.2 -iGj(iTi, 0-2): Lemma 1.3 indicates that |6]i = (ai, [5'^]^'.) ^* wrong. 

Case 2 [parallel wrong]: (cti, Sj) wrong for some i. By Lemma 1.2, |6i]i = (ai, -^l 
wrong. 

□ 

We now extend the previous lemma to parallel execution sequences of any length. 

Lemma 4 Let P = Si \ ■ ■ ■ \ Sn be a parallel program with assume- guarantee decomposition 
{Ai, Gi), . . . , {An, Gn)- Let 61 — {ai,P) for some store a\ € Store. If 81 ^* 82, then either: 

1. Vj G l..n. [81], [82], 

2. 3j G l..n. [8i]j ^* wrong 

Proof Proof is by induction on k, the length of the derivation of 81 — >* 82: 

Case 1 A; = 0: In this case, 82 = 81 and Vj G l..n. |8i]j — >J |82]j is trivially satisfied. 

Case 2 A; > 0: In this case, 81 — >p~^ 83 — >p 82 where, by induction, one of the following two 
cases holds: 

Case 2.1 Vj G l..n. |8i]j l^sjj- Lemma 3 applied to 83 — >p 82 indicates that one of the 
following holds: 

1. Vj G l..n. |83]j ^* 182],: Consider any j G l..n. In this case, we have l<di]j ^* [82],. 

2. 3j G l..n. |83]j ^* wrong: We know that [81]^- |83lj ^* wrong. Thus, part 2 of the 
lemma is proven. 

Case 2.2 3j G l..n. |8i]j ^* wrong: This implies the second condition in the statement of the 
lemma is satisfied. 

□ 

The Thread-Modular Verification Theorem from Section 4 follows directly from this lemma. 

Theorem 1 (Thread-Modular Verification) Let P — Si \ ■ ■ ■ \ Sn be a parallel program with 
assume- guarantee decomposition {A\, Gi), . . . , {An, Gn)- For all a G Store, if\li G l..n. (a, [S'jjg') 7^* 
wrong, then {a, P) y^* wrong. 

Proof This theorem is a direct consequence of Lemma 4. □ 

The machinery developed to prove the previous theorem may also be used to prove the Invariant 
Verification Theorem, restated below. 
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Theorem 2 (Invarieint Verification) Let P = Si \ ■■ ■ \ Sn be a parallel program with assume- 
guarantee decomposition {A\,G\), . . . , {An, Gn), and let Init and I he sets of stores. Suppose: 

1. Init C I 

2. \/i e l..n. Gi^{I^ I') 

3. \/i e l..n. Vc7 e Init. {a, ISij^i) y^* wrong 
Then I is an invariant of P with respect to Init. 

Proof To show that / is an invariant of P with respect to Init, we show that for all cti S Init, 
if {ai,P) — >* (a'2,P2), then a2 S /. The proof is by induction on the length k of the derivation of 
(ai,P) (a2,P2). 

Case 1 fc = 0: In this case, a2 = cri & Init, and (72 € / by condition 1. 

Case 2 A; > 0: In this case, {ai,P) -^p~^ (^3,^3) — >p (172, P2), where the inductive hypothesis 
ensures that 0-3 e /. Let 

Ps = Ti I • • • I Ti I • • • I r„ 
P2 = Ti \ ■■■ \ Ui \ ■■■ \ Tn 

where (0-3, Tj) -^s (0-2, Ut). By Lemma 4 and condition 3, it must be the case that 

[(ai,P)]. [(a3,P3)li 

7^* wrong 

Given this fact and the transition (a^jTi) {a2,Ui), Lemma 1.3 shows that G{a3,a2). This, 
combined with G I and condition 2, implies that /(a'2)- 

□ 
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